

Ethical Hacking News

Citrix Bleed 2: A High-Severity Vulnerability Leaves Citrix Users Vulnerable to Session Hijacking



Citrix Bleed 2, a high-severity vulnerability allowing hackers to steal session tokens and bypass MFA, has now been confirmed as likely exploited in targeted attacks. Find out how this vulnerability can impact your organization and what steps you need to take to protect yourself.

  • Citrix Bleed 2, a high-severity vulnerability, has been confirmed as likely exploited in attacks.
  • The vulnerability allows unauthenticated attackers to access sensitive data from public-facing gateways and virtual servers.
  • Users are advised to terminate all ICA and PCoIP sessions after installing security updates to block access to any hijacked sessions.
  • Citrix addressed the flaw on June 17, 2025, but cybersecurity firm ReliaQuest now assesses with medium confidence that CVE-2025-5777 is being actively exploited.
  • Attackers have been observed bypassing multi-factor authentication (MFA) using stolen session tokens and performing Active Directory reconnaissance to map users, groups, and permissions.
  • Potentially impacted users are advised to upgrade to specific versions of Citrix software to remediate the vulnerability.



    Citrix Bleed 2, the name given by cybersecurity researcher Kevin Beaumont to a high-severity vulnerability because of its striking similarity to the original Citrix Bleed (CVE-2023-4966), has now been confirmed as likely exploited in attacks. The vulnerability, tracked as CVE-2025-5777, is an out-of-bounds memory read that allows unauthenticated attackers to read sensitive data from public-facing gateways and virtual servers. This can let attackers hijack user sessions and bypass multi-factor authentication (MFA), posing a significant risk to Citrix users.

    Citrix's advisory has warned users of the threat, advising them to terminate all ICA and PCoIP sessions after installing the security updates so that any already-hijacked sessions are cut off. Citrix patched the flaw on June 17, 2025, and reported no active exploitation at that time. However, cybersecurity firm ReliaQuest now assesses with medium confidence that CVE-2025-5777 is being actively exploited in targeted attacks.

    ReliaQuest's assessment is based on attacks observed recently. One notable example involves hijacked Citrix web sessions in which authentication was granted without any user interaction, indicating that attackers bypassed MFA using stolen session tokens. The attackers reused the same Citrix session across both legitimate and suspicious IP addresses, which points to session hijacking and replay from unauthorized sources.

    Furthermore, LDAP queries were initiated post-access, showing that attackers performed Active Directory reconnaissance to map users, groups, and permissions. Multiple instances of ADExplorer64.exe ran across systems, indicating coordinated domain reconnaissance and connection attempts to various domain controllers. Citrix sessions originated from data center IPs associated with consumer VPN providers like DataCamp, suggesting attacker obfuscation via anonymized infrastructure.
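The three signals described above (one session reused from several source IPs, a second hop with no MFA step, and ADExplorer64.exe running on endpoints) can be checked against session and process logs. The following is an added example, not code from the article or from ReliaQuest; the log layouts, session IDs, IP addresses and the VPN-egress prefix list are all constructed for the demonstration.

```python
from collections import defaultdict

# Constructed sample events, not real logs: a NetScaler-style session log and an
# endpoint process log, reduced to the fields these checks need.
SESSION_EVENTS = [
    # (session_id, source_ip, user, mfa_completed_on_this_hop)
    ("sess-a1", "203.0.113.10", "alice", True),    # normal login, MFA satisfied
    ("sess-a1", "198.51.100.77", "alice", False),  # same session, new IP, no MFA
    ("sess-b2", "203.0.113.22", "bob", True),
    ("sess-c3", "198.51.100.78", "carol", True),   # VPN egress, but never reused
]
PROCESS_EVENTS = [
    # (host, user, image_path)
    ("WS01", "alice", r"C:\Users\alice\Downloads\ADExplorer64.exe"),
    ("WS02", "bob", r"C:\Windows\System32\notepad.exe"),
    ("WS03", "alice", r"C:\Temp\ADExplorer64.exe"),
]
# Constructed: prefixes an organisation has tagged as VPN/data-center egress.
ANONYMIZED_PREFIXES = ("198.51.100.",)


def sessions_reused_across_ips(events):
    """Session IDs seen from more than one source IP (the replay pattern)."""
    ips = defaultdict(set)
    for sid, ip, _user, _mfa in events:
        ips[sid].add(ip)
    return sorted(sid for sid, seen in ips.items() if len(seen) > 1)


def mfa_bypass_candidates(events):
    """Sessions authenticated once with MFA that later reappear from a
    different IP with no MFA step: the hijack signature in the report."""
    first_seen, hits = {}, set()
    for sid, ip, _user, mfa in events:
        if sid not in first_seen:
            first_seen[sid] = (ip, mfa)
        elif first_seen[sid][1] and ip != first_seen[sid][0] and not mfa:
            hits.add(sid)
    return sorted(hits)


def anonymized_source_sessions(events, prefixes=ANONYMIZED_PREFIXES):
    """Sessions with any hop from a tagged VPN/data-center prefix."""
    return sorted({sid for sid, ip, *_ in events if ip.startswith(prefixes)})


def recon_tool_hosts(events, tool="adexplorer64.exe"):
    """Hosts where the AD reconnaissance binary named in the report ran."""
    return sorted({host for host, _u, img in events if img.lower().endswith(tool)})
```

A session that appears in both the reuse and the MFA-bypass lists, from a tagged egress prefix, is the strongest candidate for immediate termination and review.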

    To protect against this activity, potentially impacted users are advised to upgrade to versions 14.1-43.56+, 13.1-58.32+, or 13.1-FIPS/NDcPP 13.1-37.235+ to remediate the vulnerability. After installing the updated firmware, administrators should terminate all active ICA and PCoIP sessions, as they may already have been hijacked. Before killing active sessions, admins are advised to review them for suspicious activity using the 'show icaconnection' command and the NetScaler Gateway > PCoIP > Connections page.

    If the immediate installation of security updates is impossible, it is advised that external access to NetScaler be limited via network ACLs or firewall rules.
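A fleet check against the fixed builds listed above, as an added example rather than a Citrix tool: the version notation ('14.1-43.56', with an optional FIPS or NDcPP tag before the build number) is assumed from the article's own wording, and any branch with no fixed build listed is treated as unpatched.

```python
import re

# Minimum fixed builds quoted in the article for CVE-2025-5777, keyed by
# (branch, is_fips_or_ndcpp). Anything at or above these counts as patched.
FIXED_BUILDS = {
    ("14.1", False): (43, 56),
    ("13.1", False): (58, 32),
    ("13.1", True): (37, 235),   # the 13.1-FIPS / NDcPP branch
}

# Assumed notation, modelled on the article's "14.1-43.56" style: optional
# FIPS or NDcPP tag between the branch and the build number.
VERSION_RE = re.compile(r"^(\d+\.\d+)-(?:(FIPS|NDcPP)-)?(\d+)\.(\d+)$")


def parse_version(text):
    """Split '13.1-FIPS-37.235' into ('13.1', True, (37, 235))."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    branch, variant, build, minor = m.groups()
    return branch, variant is not None, (int(build), int(minor))


def is_patched(text):
    """True when the build is at or above the fixed build for its branch.
    A branch with no fixed build listed (e.g. 13.0) is treated as unpatched,
    the conservative choice for an internet-facing gateway."""
    branch, fips, build = parse_version(text)
    fixed = FIXED_BUILDS.get((branch, fips))
    return fixed is not None and build >= fixed


def unpatched_appliances(inventory):
    """From {name: version} return the names that still need action."""
    return sorted(name for name, ver in inventory.items() if not is_patched(ver))
```

Appliances returned by unpatched_appliances are the ones to upgrade first, or to fence off with network ACLs or firewall rules until the upgrade can happen.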

    BleepingComputer contacted Citrix multiple times about the exploitation status of CVE-2025-5777 but has not received any replies.

    The emergence of Citrix Bleed 2 serves as a stark reminder of the importance of keeping software up-to-date and patching vulnerabilities promptly. As attackers continue to exploit this vulnerability in targeted attacks, it is crucial for organizations using Citrix solutions to take immediate action to protect their users' sensitive data and prevent potential session hijacking.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Citrix-Bleed-2-A-High-Severity-Vulnerability-Leaves-Citrix-Users-Vulnerable-to-Session-Hijacking-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/citrix-bleed-2-flaw-now-believed-to-be-exploited-in-attacks/

  • https://nvd.nist.gov/vuln/detail/CVE-2023-4966

  • https://www.cvedetails.com/cve/CVE-2023-4966/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-5777

  • https://www.cvedetails.com/cve/CVE-2025-5777/


  • Published: Fri Jun 27 10:55:14 2025 by llama3.2 3B Q4_K_M
